FIRST INDUSTRIAL LP 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

FIRST INDUSTRIAL LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 17:03:32 EST.

Filings

10-K filed on 2024-02-14

FIRST INDUSTRIAL LP filed an 10-K at 2024-02-14 17:03:32 EST
Accession Number: 0000921825-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risk is an important and continuously evolving focus for us, and significant resources are devoted to protecting and enhancing the security of computer systems, software, networks and our other technology assets. We have controls and systems in place to safely receive, protect and store information; collect, use, and share that information appropriately; and detect, contain and respond to data security and denial-of-service incidents. We identify material cyber risks by continually assessing external threats to understand evolving threats, developing issues and industry trends. Cybersecurity is an important and integrated part of the Company s enterprise risk management function that identifies, monitors and mitigates business, operational and legal risks. We view our main cyber risk areas to be attempts to gain unauthorized access to our data and computer systems and the data of third parties to which we may owe a duty of care through malware, ransomware, computer fraud, insider threat from persons inside our Company or persons with access to systems inside our Company, and other significant disruptions of our information technology networks and related systems. Our processes and controls to mitigate these cyber risks, categorized by five functional areas, Identify, Protect, Detect, Respond and Recover, are addressed below. The first step in our process is to Identify the risks related to our data, personnel, devices, systems and facilities. In connection with this phase, we do the following: Perform global risk assessments which include information technology risk areas including cyber and, in conjunction with this assessment, we engage leading security and technology vendors to periodically perform specific technical information technology risk assessments; Maintain a matrix that delineates roles and responsibilities for information security supporting significant financial applications, database and networks; Participate in various consortiums, associations and groups allowing us to share threat intelligence and collaborate with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, better understand the evolving regulatory environment, and advance capabilities in these areas; Conduct mandatory information security training for all employees and regularly test our employees several times a year for information security awareness and adherence to our information security recommendations; and Disclose our computer usage policy on our intranet and distribute to new employees. Next, we perform certain controls and processes in order to Protect against the identified risks. In connection with this phase, we do the following: Maintain controls and processes over access to our networks and computer systems including: (i) approval and restriction to appropriate personnel as well as ensuring powerful privileges are restricted and segregated to select information technology employees; (ii) utilize a password manager to protect encrypted passwords of power users; (iii) disable system and physical access of terminated employees in a timely manner; (iv) utilize two-factor authentication for remote access to the network; and (v) segregate internal network through the use of internal firewalls; Maintain physical security at our data center and backup recovery location including door access control system at the primary data center with surveillance; Block data intrusion to maintain confidentiality and integrity of our data via the following: (i) capacity of our servers and networks have an automated monitoring system; (ii) patch management controls on our key software including monitoring resources for patch criticality and reported issues as well as running vulnerability scans; (iii) 21 change logs are kept and updated on all of our key software; (iv) all major changes to hardware and infrastructure devices are performed and approved prior to production migration; (v) remote access is fully encrypted for all users; and (vi) internal firewalls are used to limit access to sensitive systems and applications; and Maintain controls and processes relating to payments we make to third parties by using a combination of internal controls around the setup, maintenance and archiving of records to reduce fraud and erroneous payments. We continually monitor our information system in order to Detect anomalous activity and verify the effectiveness of our protective measures. In connection with this phase, we do the following: Run extended detection and response software on our network at all times, which is comprehensive company-wide personal computer device security monitoring and active threat remediation software that is fully supported by staff and backed by a prevention warranty; Engage third-party specialists to periodically perform: (i) penetration testing, which is a simulated cyberattack against our computer system, in order to assess our ability to resist potential threats and attacks from external and internal sources; (ii) cyber dwelling, which determines if a threat actor has made its way or could make its way into our computer network and if confidential information was or could be compromised; and (iii) tabletop mock ransomware exercises to gauge our ability to react to an attack; Evaluate the technical control structure and competency for all new third-party software vendors and review cloud third-party software vendor s Service Organization Control reports, or reasonable substitutes, which give comfort on the maturity of the vendor s security controls; and Perform monthly mock phishing email exercises with our employees and provide additional training if needed. We have plans in place in order to Respond to detected cybersecurity incidents: Maintain written playbooks, which provide sequential instructions on the appropriate steps to take in the wake of various cyberattacks, including a playbook for each of the following: ransomware attack, a data breach, loss of third-party data and partial and full disaster recovery plans; and Retain a leading provider of incident response to assist us with a security incident as well as an attorney that serves as our data breach coach who specializes in data privacy and cyber security, and has relationships with third-party forensics investigators, crisis communications professionals and other services and organization we may need if a data breach is encountered. In order to Recover systems or assets affected by a cybersecurity incident, full backups of our business systems data are created, tested and kept at multiple locations in online and offline formats. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business, operations or financial condition, there can be no guarantee that we will not experience such an incident in the future. See Risk Factors for more information on our cybersecurity risks. Our Chief Information Officer, our Senior Director of Information Technology, our Director of Business Systems Applications and our Information Technology Security Manager oversee our cybersecurity program. Collectively, the team has decades of information technology experience and our Information Technology Security Manager holds a masters degree in Network Security. They meet on a regular basis and report to the Audit Committee at least annually on key cybersecurity risks as well as current and future cybersecurity strategy. As delegated by our Board of Directors, our Audit Committee is responsible for reviewing, with management, our internal control systems with respect to information technology security. The Audit Committee Chairperson is also involved in our annual overall risk assessment process. In addition to the foregoing, from time to time, the Board of Directors is updated concerning the Company s internal control systems with respect to information technology security. 22

Company Information